TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information

May 8, 2009

Reference Number: 2009-30-059

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3d = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 8, 2009

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

FROM: Michael R. Phillips
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information (Audit # 200830008)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) has established effective controls to ensure that security measures related to the disposal of tax and other sensitive but unclassified (SBU) information are adequate to prevent disclosure of personally identifiable information (PII). 1 This audit was conducted as part of our Fiscal Year 2008 Annual Audit Plan.

Impact on the Taxpayer

Identity theft occurs when someone uses PII such as an individual’s name, Social Security Number, credit card numbers, or other account information to commit fraud and other crimes. In November 2007, the Federal Trade Commission reported that, for the eighth year in a row, identity theft was the number one consumer complaint nationwide and that each year it affects more than 10 million Americans. Consumers have lost more than $45 billion to identity thieves. Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure. This includes, but is not limited to, evaluating the integrity and security of taxpayer data and sensitive information during the collection, disposal, and destruction of SBU waste/PII generated in paper form by the daily business of tax administration.

1 Tax returns and return information are to be considered SBU information. PII is a specific type of SBU.

Synopsis

More than 130 million taxpayers entrust the IRS with sensitive financial and personal data, much of it on paper documents requiring SBU waste disposal. The IRS has provided guidance to address the security of sensitive taxpayer information, but greater oversight is needed with respect to the disposal of SBU paper waste.

Specific responsibilities associated with the SBU waste disposal program need to be clearly defined and delineated. Without clearly defined responsibilities and ongoing monitoring to ensure that controls are functioning as intended, the IRS cannot ensure that sensitive information is given the protection needed to prevent unauthorized disclosure or dissemination.

In addition, the IRS needs greater standardization over the development and administration of contracts for the disposal of SBU waste. Contracts for disposing of SBU waste and PII did not contain consistent specifications for key services. Further, oversight to ensure vendors complied with contract specifications or other IRS requirements was not adequate.

We also found that policies related to protection and disposal of paper documents containing PII need to be more widely communicated and adhered to by employees and contractors. At every location we visited, we found documents containing PII or other SBU information in regular waste containers and/or dumpsters. If security policies are not adequately communicated and adhered to, sensitive taxpayer and employee data are at an increased risk of disclosure or other improper usage.

Recommendations

We recommended that the Chief, Agency-Wide Shared Services, work with the Deputy Commissioner for Operations Support, as necessary, to establish authority and responsibility at the national level for the disposal and destruction of SBU waste/PII and establish policies and procedures to address internal control weaknesses. The Chief, Agency-Wide Shared Services, should ensure that all SBU waste contracts (either in place or to be awarded) include the Federal security requirements for SBU waste/PII disposal and destruction. Additionally, improvements to oversight and management of SBU waste disposal contracts should include standardization of critical elements and the creation of a national database of all IRS facilities, the contracts covering SBU waste disposal, and the contractors that serve them. Further, the Chief, Agency-Wide Shared Services, should provide complete, updated, and accurate guidance and education to all IRS management, employees, and contractors involved in any aspect of the collection, disposal, or destruction of SBU waste/PII.

Response

IRS management agreed with all of our recommendations. The IRS has taken actions to improve the SBU Waste Disposal Program, including enhanced oversight and management of SBU/PII waste disposal contracts. Management has developed Standard Operating Procedures to allow for consistent oversight of the National Document Destruction Contract and the handling of SBU/PII information. Management has also created a Performance Work Statement and Performance Requirements Summary to provide consistent national policies regarding critical elements such as the maintenance, storage, and updating of background investigations, disclosure safeguards, and certificates of destruction. Responsibilities for monitoring vendor adherence to contract requirements have been clearly defined and assigned. In addition, the IRS has revised the Internal Revenue Manual on Information Protection to include SBU and PII standards and terminology. Finally, Agency-Wide Shared Services will be partnering with the Communications and Liaison function and the Privacy Office to develop a communications plan to ensure continued awareness of policies and procedures for the destruction of PII and SBU information for both employees and contractors. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Compliance and Enforcement Operations), at (202) 622-8510.

Table of Contents

Background .......................................................................................... Page 1

Results of Review ............................................................................... Page 3
    The Internal Revenue Service Has Provided Guidance to Address the Security of Sensitive Taxpayer Information .......... Page 3
    Specific Responsibilities Associated With the Sensitive but Unclassified Waste Disposal Program Need to Be Clearly Defined and Delineated .......... Page 4
        Recommendations 1 and 2: .......... Page 7
    Increased Standardization Over the Development and Administration of Contracts for Disposal of Sensitive but Unclassified Waste May Improve Security .......... Page 8
        Recommendation 3: .......... Page 10
        Recommendation 4: .......... Page 11
    Policies Related to Protection and Disposal of Paper Documents Containing Personally Identifiable Information Need to Be More Widely Communicated and Adhered to by Employees and Contractors .......... Page 12
        Recommendation 5: .......... Page 13

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology .......... Page 14
    Appendix II – Major Contributors to This Report .......... Page 16
    Appendix III – Report Distribution List .......... Page 17
    Appendix IV – Management’s Response to the Draft Report .......... Page 18

Abbreviations

COTR    Contracting Officer’s Technical Representative
IRM     Internal Revenue Manual
IRS     Internal Revenue Service
PII     Personally Identifiable Information
SBU     Sensitive But Unclassified

Background

In November 2007, the Federal Trade Commission reported that, for the eighth year in a row, identity theft was the number one consumer complaint nationwide and that each year it affects more than 10 million Americans. Identity theft occurs when someone uses Personally Identifiable Information (PII) such as an individual’s name, Social Security Number, credit card numbers, or other account information to commit fraud and other crimes. The same report stated that consumers have lost more than $45 billion to identity thieves, and that it takes an average of 328 hours per person to repair the damage. The Federal Trade Commission has stated that paper documents containing PII continue to be one of the primary ways identity thieves get private information.

Legislation such as the Privacy Act of 1974, 1 the E-Government Act of 2002, 2 and the Federal Information Security Management Act of 2002 3 has given Federal agencies guidelines and responsibilities for protecting personal information, including ensuring its security. The Internal Revenue Service’s (IRS) Office of Privacy, Information Protection and Data Security defines PII as any combination of information that can be used to uniquely identify, contact, or locate a person and could subsequently be used for identity theft. As the IRS has moved forward in the use of modern technology such as laptops, flash drives, writable media, and Blackberry devices, it has rightly focused much of its security efforts and policies on electronic media. However, the IRS continues to work with and dispose of large volumes of paper documents containing sensitive but unclassified (SBU) taxpayer data that require the same level of protection. 4

More than 130 million taxpayers entrust the IRS with sensitive financial and personal data, much of it on paper documents requiring protection from disclosure during disposal. Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure. This includes, but is not limited to, evaluating the integrity and security of taxpayer data and sensitive information during the collection, disposal, and destruction of SBU waste/PII generated in paper form by the daily business of tax administration.

This review was performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona; New Carrollton, Maryland; Holtsville, Garden City, and Westbury, New York; and Ogden, Utah, and included questionnaires to 14 Territory Managers 5 across the country during the period September 2007 through May 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

1 5 U.S.C. § 552a (2000).
2 Pub. L. No. 107-347 Title III, Section 301 (2002).
3 Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
4 Tax returns and return information are to be considered SBU information. PII is a specific type of SBU.
5 Territory Managers are responsible for Real Estate and Facilities Management and Building Management programs servicing customers in geographically dispersed posts of duty in their assigned territories.

Results of Review

The Internal Revenue Service Has Provided Guidance to Address the Security of Sensitive Taxpayer Information

The IRS has initiated a number of actions to protect sensitive taxpayer information. In July 2007, the Office of Privacy, Information Protection and Data Security was established. Its mission is to protect PII from unauthorized use, access, disclosure, or sharing and to protect information systems used for tax information. Within the Office of Privacy, Information Protection and Data Security, the Office of Privacy is responsible for ensuring that IRS policies and programs incorporate both taxpayer and employee privacy concerns and that the public is aware of IRS privacy business practices and principles. As one of its first accomplishments, the Office of Privacy developed the Privacy Impact Assessment form to evaluate program compliance with IRS privacy policies. This form is now considered a best practice by the U.S. Government’s Chief Information Officers’ Council. Through the Office of Privacy, Information Protection and Data Security, the IRS has collaborated with other Federal agencies to co-sponsor OnGuardOnline.gov, a newly established web site that gives individuals practical tips on how to avoid Internet fraud, secure their computers, and protect their personal information.

The Office of Identity Theft Incident Management has also been established to address the increase in identity theft, data loss trends, and the need for an IRS authority regarding these issues. The Office of Identity Theft Incident Management is responsible for administering the Incident Management program, the IRS’ PII incident notification process for both taxpayers and employees potentially impacted by IRS data loss incidents. Included in this process is a risk assessment of all data loss incidents and possible notification of taxpayers.

The Deputy Commissioner for Operations Support recently released emails to all IRS managers and employees communicating the importance of protecting electronic and paper documents containing sensitive information and informing them about the launch of a program called Operation R.E.D. 6 The IRS has also taken steps to communicate its expectations to both management and employees with regard to the responsibilities and accountability for protecting taxpayer information entrusted to them. The publication Internal Revenue Service Guide to Penalty Determinations (Document 11500 [8-2007]) provides a list of common infractions (including disclosure of taxpayer information due to carelessness or negligence) and a suggested range of penalties for those infractions.

6 Operation R.E.D. (Read, Encrypt, and Decide) was a 60-day IRS-wide event to refresh employee awareness of existing policies and procedures about safeguarding and protecting sensitive information.

Commissioner of Internal Revenue Service, Douglas Shulman, in his executive message to all employees, stated:

    “As IRS employees, we are entrusted with handling very sensitive taxpayer information every day. In fact, handling sensitive information is so common to us that there is a danger of becoming complacent or careless. This is simply not acceptable. I cannot stress strongly enough the importance of our duty to America’s taxpayers to protect their information and maintain their trust. Our voluntary tax system depends on it.”

While the above measures may assist the IRS in its efforts to protect sensitive taxpayer information, greater oversight is needed in some areas.

Specific Responsibilities Associated With the Sensitive but Unclassified Waste Disposal Program Need to Be Clearly Defined and Delineated

During our review, we identified several areas where responsibility and accountability related to the protection or disposal of SBU waste were not clearly defined, and monitoring of controls designed to protect PII from disclosure did not take place.

No one individual or position was clearly given responsibility for the oversight of the handling of SBU waste and PII at the sites we visited.

During onsite visits to 15 IRS locations, and in questionnaires provided to 14 Territory Managers, we attempted to determine who was responsible for the oversight and monitoring of the collection and disposal of SBU waste. Answers varied from site to site and, in some instances, we received contradictory answers from Territory Managers and onsite personnel. Among those identified as having overall responsibility were employees from the Real Estate and Facilities Management function, employees from the Physical Security function, Territory Managers, and Contracting Officer’s Technical Representatives (COTR). 7 The General Services Administration as well as the property owner for occupied commercial space were also mentioned as being responsible.

In addition, as of May 2008, we were unable to locate anything in the Internal Revenue Manual (IRM) or other policy documents assigning responsibility to perform and document site visits to the shred or burn facilities of businesses contracted to destroy SBU waste. The 13 Territory Managers responding to our questionnaire indicated that no official inspection of the shred/burn contractor’s facilities in their territories had been performed within the last 18 months. We found evidence of only 2 instances where IRS personnel conducted visits to shred/burn facilities in the past 2 fiscal years. Not all Territory Managers were even able to identify the contractor who provided their shred/burn services or where they were located. None of the four contractor sites we visited had ever received a request from the IRS to inspect their facility or onsite records. In fact, one facility had changed its actual physical location during the term of the contract without an IRS site inspection. The change of location (which could invalidate much of the information used to make the original assessment regarding the security of the SBU data in the facility’s care) should have resulted in a recertification. 8

A good internal control environment requires that the structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting. IRS management had not addressed this issue. Without clearly defined responsibilities and ongoing monitoring, the IRS cannot ensure that sensitive information is given the adequate protection needed to prevent unauthorized disclosure or dissemination.

7 The COTR is a person designated by the Contracting Officer to perform certain administrative tasks related to a specific contract. The primary role of the COTR is to monitor the contractor’s performance, ensure that the contractor delivers what is called for in the contract, and serve as the technical liaison between the contractor and the Contracting Officer.

Responsibility for the completion and documentation of background investigations for contractors handling SBU waste varied at different IRS facilities.

During our onsite visits and in responses to our questionnaires, we again received inconsistent and contradictory answers regarding responsibility for the initiation and maintenance of background investigations and associated files.

Among those named as responsible for background investigations were the National Background Investigation Center, General Services Administration, building owners (in commercially owned buildings), the IRS’ procurement function, COTRs, and individual contractors. We received similar answers with regard to the maintenance of background investigation files. One COTR stated that he performed work related to obtaining background investigations but maintained no paper files. At other facilities, we were told that contractors maintained the files. We found no documentation to show that any review of the background investigation files was performed by IRS officials. One contracted shred facility informed us that the IRS had not asked about or checked on the background investigations of their employees in 6 or 7 years, and another stated that the IRS had never done such a check.

Without complete and proper background investigations for contracted employees, the IRS cannot ensure the integrity of these individuals, which puts sensitive taxpayer information at increased risk of theft or unauthorized disclosure or dissemination.

8 The IRM states that a business unit requesting services from an outside contractor, requiring the disclosure of sensitive information, should coordinate with appropriate Physical Security personnel to determine whether all physical security requirements necessary to protect the sensitive data are addressed. An existing contractor’s ability to adequately protect IRS data from unauthorized use or disclosure must be recertified whenever the security measures employed by the contractor become a matter of concern.

Responsibilities had not been defined or delineated to control which IRS sites had shredders available or which individuals at IRS sites had keys to SBU waste containers.

We were unable to identify an individual or individuals responsible for maintaining an inventory list or other official records regarding which of the approximately 746 IRS sites nationwide had shredders available to dispose of SBU waste. Shredding of SBU waste and PII is a key control to ensure that sensitive information is not disclosed. Management should be aware of the availability of shredders and associated costs when sites have responsibility for disposing of their own SBU waste.

In addition, controls over keys to SBU waste containers were inadequate at the sites we visited. At one campus, 9 employees from the Facilities Management and Physical Security functions distributed keys (to SBU waste containers) to all managers "who wanted them," without determining whether an authorized need existed, and without requiring the managers/employees to sign appropriate documents to hold them accountable for the keys. At one Federal Building, an employee who had been but was no longer responsible for the supervision of the onsite shredding process [redacted, 3d]. Also, at one commercially owned building in which the IRS rents space, a [redacted, 3d] given keys to the SBU waste containers [redacted, 3d]. At each site visited, we found that keys to SBU waste container locks were identical, not only within the IRS facility, but also identical to keys for the locks on containers for other customers of the shred/burn contractors.

The IRM 10 states that access to a locked area, room, or container can only be controlled if the key is controlled. As soon as the key is lost or obtained by an unauthorized person, the security provided by that particular lock is lost. The IRM also states that keys will be issued only to persons having a need to have access to an area, room, or container, and that the number of keys will be kept to a minimum. Also, keys issued to individuals are to be kept with the individuals and not stored in desk drawers or other unsecured places or shared with other employees.

Without clearly defined responsibilities and ongoing monitoring to ensure that controls over the issuance and maintenance of keys to SBU waste containers are functioning as intended, the IRS cannot ensure that sensitive information is given the protection needed to prevent unauthorized disclosure or dissemination.

9 The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
10 IRM 1.16.14.9.4 - Control and Safeguarding of Keys and Combinations.

Recommendations

Recommendation 1: The Chief, Agency-Wide Shared Services, should work with the Deputy Commissioner for Operations Support as necessary to establish authority and responsibility at the national level for the disposal and destruction of SBU waste and PII, and establish policies and procedures relevant to the following:
   •   Consistent authority and responsibility at all field sites for the oversight of the handling of SBU waste and PII.
   •   Consistent national policies regarding the maintenance, storage, and updating of background investigations.
   •   Issuance and controls over keys to SBU waste containers and storage areas.
   •   Shredders and other SBU waste assets.

Management’s Response: IRS management agreed with this recommendation. The IRS has taken actions to improve the SBU Waste Disposal Program, including enhanced oversight and management of SBU/PII waste disposal contracts. They have developed Standard Operating Procedures to allow for consistent oversight of the National Document Destruction Contract and the handling of SBU/PII information, and created a Performance Work Statement and Performance Requirements Summary to provide consistent national policies regarding the maintenance, storage, and updating of background investigations. Controls over keys to SBU information containers and storage areas will be monitored by the development of a log, and distribution of keys will be kept at a strict minimum. Management will ensure that shredders purchased by the IRS are in conformance with the IRS requirements for shred size and specifications.

Recommendation 2: The Chief, Agency-Wide Shared Services, should also work with the Deputy Commissioner for Operations Support, as necessary, to revise the IRM with regard to: 1) mandating site visits to shred/burn facilities; and 2) establishing minimum standards for the performance of site visits, the documentation required, and maintenance of these files.

Management’s Response: IRS management agreed with this recommendation. Management will utilize the Performance Work Statement to achieve establishment of minimum standards for the performance of site visits, the required documentation, and files maintenance, along with mandatory visits to the shred/burn facilities.

Office of Audit Comment: Although the IRS’ corrective action is different from the specific action recommended, we agree with management’s use of the Performance Work Statement to address this issue.

Increased Standardization Over the Development and Administration of Contracts for Disposal of Sensitive but Unclassified Waste May Improve Security

Contracts for disposing of SBU waste and PII did not contain consistent specifications for essential services. Further, oversight to ensure vendors complied with contract specifications or other IRS requirements was not adequate.

Contract development

The IRS receives shredding services from vendors awarded contracts through a competitive bidding process. In some situations, these businesses subcontract various additional services such as pickup or transportation of SBU waste material from IRS locations to contractor facilities. At the time of our review, there were numerous 11 shred contracts with different requirements covering more than 700 IRS locations. The IRM and Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, Safeguards for Protecting Federal Tax Returns and Return Information (Publication 1075) contain minimum requirements for external agencies regarding PII and SBU waste, including storage, physical security, restricted access, and disposal. IRS contractors should be made aware of and abide by these standards, and the IRS should provide for adequate oversight to ensure contractors are meeting these requirements. However, we reviewed eight different contracts for onsite and offsite shredding services and found that the contracts lacked consistency in, or were missing requirements for, several key items, including:
     •   Six contracts did not include a clause providing for unannounced site visits by IRS personnel. This issue was also corroborated by 5 of the 12 Territory Managers’ responses to our questionnaires.
     •   Six contracts did not address the minimum requirements for background investigations of any subcontract employees.
     •   Three 12 contracts were missing the statements required in the IRM prohibiting the contractors from disclosing any sensitive data which they might have observed.
     •   Four contracts contained no requirements for contractors to provide Certificates of Destruction.

11 We were unable to obtain copies of all contracts for SBU waste disposal and destruction that are currently in effect without, according to the IRS, great effort. According to IRS management, copies of contracts are not obtainable from a single database by any identifier other than a contract number. They are not aware of any computer information system that manages the contracts for the IRS nationwide and stated that there is no way Procurement would know how many shred/burn contracts there are unless we could provide the contract numbers. The copies of contracts we did receive were obtained from the various Territory Managers or their COTRs.
12 One of the three contracts with no nondisclosure statement contained some wording related to nondisclosure, including a space for the contractor to sign, but the wording was not the same as in the other contracts and that section of the contract had not been signed by the contractor.
13 The other four contracts contained verbiage which varied from\n         \xe2\x80\x9cCertificates to be provided on request\xe2\x80\x9d to \xe2\x80\x9cCertificates to be provided monthly.\xe2\x80\x9d\n     \xe2\x80\xa2   One contract contained a shred size specification different than the specification required\n         by the IRM.\n\nContract oversight\nIRS oversight was not adequate to ensure that vendors met contract specifications or other IRS\nrequirements. For example:\n     \xe2\x80\xa2   Shred locations that we visited were all National Association for Information Destruction,\n         Inc. 14 certified and had conducted their own background investigations on their\n         employees. However, these investigations would not have met IRS requirements or\n         standards due to their limited scope.\n     \xe2\x80\xa2   We identified situations where the actual removal and destruction process for SBU waste\n         did not correspond to the elements within the contract. At two of the IRS locations where\n         shredding services were performed onsite, the actual shredding process was completed\n         outside of the physical structure. This was not in accordance with the contract and\n         greatly increased the risk that papers could fly away unnoticed during the shredding\n         process.\n     \xe2\x80\xa2   In some instances, Certificates of Destruction were provided to the IRS on different time\n         intervals and with different documentation than called for in the contracts.\n     \xe2\x80\xa2   At one shred facility, the onsite manager explained that there was an additional contractor\n         involved in the transportation of SBU waste from the IRS locations to their facility, and\n         that the IRS had contracted the services. We could find no reference to this in the\n         contract between the IRS and this facility. 
The contract did state, \xe2\x80\x9cThe material shall\n         remain in control of the contractor at all times until destroyed.\xe2\x80\x9d IRS management told us\n         that they were unaware of the additional contractor involvement. Any additional\n         contractors involved in the disposal or destruction of SBU waste would require either\n         completion of a background investigation or continual IRS escort during the process.\n         Another contract we reviewed had changes to the collection and pickup process after it\n         was awarded. We were informed that circumstances and/or conditions had changed\n         during the course of the contract and that both the contractor and IRS agreed to the\n\n13\n   A certificate created to document the destruction of records according to established policies and procedures.\n14\n   National Association for Information Destruction, Inc. is the international trade association for companies\nproviding information destruction services. Its mission is to promote the information destruction industry and the\nstandards and ethics of its member companies.\n\n\n\n                                                                                                             Page 9\n\x0c                        Increased Management Oversight of the Sensitive but\n                      Unclassified Waste Disposal Process Is Needed to Prevent\n                     Inadvertent Disclosure of Personally Identifiable Information\n\n\n        changes made. However, no formalized addendum or other written document was\n        available detailing the changes agreed to.\nAs of May 2008, IRS management has established no standard nationwide contract requirements\nor administrative responsibilities related to the contracts for disposal of SBU waste material,\nspecifically paper. These issues have been left to the discretion of individual COTRs and/or\nTerritory Managers. 
This inconsistent approach and, in some cases, deviation from prescribed\nIRS requirements significantly increases the risk of inadvertent and unauthorized disclosure of\nsensitive PII.\nIRS management is actively moving forward towards completion of a national contract with\nNISH 15 to provide for the disposal and destruction of SBU waste and PII at all 700 plus IRS\nlocations. According to IRS management, NISH would serve as the central agency and would\nutilize other NISH-affiliated, nonprofit agencies to perform the specific services required. While\nIRS management was unable to determine what the time period for completion of this transition\nwould be, they have made steady progress in developing the Statement of Work for the national\ncontract.\nSome of the benefits IRS management believes will come with a national contract are:\n1) working with one entity; 2) not having to track down individual contracts and companies; and\n3) greater ease in implementing standards. They are working on a Quality Assurance Plan that\nmandates an inspection and validation to ensure that the contractors are performing up to the\nstandard and are in compliance with the contract. While IRS management believes that a\nnational contract with NISH would provide centralized management of that activity,\ncomprehensive oversight and accountability still rests solely with the IRS. The review, update,\nand control of the various subcontracts should be done at the National Office level. The\nproposed national contract with NISH will bring in many new subcontractors, and site visits will\nhave to be made in order to ensure that taxpayer information is protected. Based on our\ndiscussions with IRS management, the availability of both trained staff and travel funds is a\nmajor concern at the present time. 
While this national contract would centralize all SBU waste\nand PII disposal and destruction under one vendor and would provide the IRS with a central\npoint of contact, the terms and conditions to be specified under the scope of work for the various\nsubcontractors must be uniform.\n\nRecommendations\nRecommendation 3: We recommend that the Chief, Agency-Wide Shared Services, ensure\nthat all SBU waste contracts (either in place or to be awarded) include the same requirements for\n\n15\n  NISH is a nonprofit agency whose mission is to create job opportunities for people with severe disabilities by\nsecuring Federal contracts through the AbilityOne program, formerly Javits-Wagner-O\xe2\x80\x99Day, for its network of\ncommunity-based, nonprofit agencies. NISH was formerly the acronym for National Industries for the Severely\nHandicapped.\n\n                                                                                                           Page 10\n\x0c                    Increased Management Oversight of the Sensitive but\n                  Unclassified Waste Disposal Process Is Needed to Prevent\n                 Inadvertent Disclosure of Personally Identifiable Information\n\n\nSBU waste disposal/destruction\xe2\x80\x93specifically those covering secure storage, physical\nsecurity-minimum protection standards, restricting access, and disposal\xe2\x80\x93as those contained in\nPublication 1075.\nManagement\xe2\x80\x99s Response: IRS management agreed with this recommendation. They have\nincluded suggested Federal security requirements for SBU waste disposal/destruction in the\nNISH Contract for Document Destruction. 
Delegated buildings with existing custodial contracts\nthat include document destruction that comply with the Performance Work Statement will be\nexempt from the National Contract.\nRecommendation 4: We recommend that the Chief, Agency-Wide Shared Services, make\nimprovements to the oversight and management of SBU waste contracts by ensuring that:\n   \xe2\x80\xa2   All contracts related to the handling, disposal, and destruction of SBU waste or PII are\n       standardized as to critical elements such as site visits, required minimum level of\n       background investigations, disclosure safeguards, and certificates of destruction.\n   \xe2\x80\xa2   A national database or consolidated list of all IRS field offices and the contractors that\n       serve them is established to identify all contracts related to the handling, disposal, and\n       destruction of SBU waste and PII and the IRS facilities covered by them.\n   \xe2\x80\xa2   Responsibilities for monitoring vendor adherence to contract requirements are clearly\n       defined.\n   \xe2\x80\xa2   IRM requirements are followed in regards to contractor facility site surveys\xe2\x80\x93in particular\n       when shred/burn facilities change location and prior to the awarding of all future\n       contracts.\nManagement\xe2\x80\x99s Response: IRS management agreed with this recommendation.\nRequirements for the handling, disposal, and destruction of SBU/PII have been standardized and\nincorporated into the Performance Work Statement for shred/burn contracts. The Performance\nWork Statement will also standardize requirements for contractor site visits, required minimum\nlevel of background investigations, disclosure safeguards, and certificates of destruction.\nManagement has established a consolidated list of all IRS field offices and servicing SBU and\nPII waste disposal contractors. 
They have clearly defined responsibilities for monitoring vendor\nadherence to contract requirements and have given ownership of these responsibilities to the\nnational COTR and Territory sub-COTRs. Standard Operating Procedures and a strict\nPerformance Requirements Summary have been created.\n\n\n\n\n                                                                                            Page 11\n\x0c                     Increased Management Oversight of the Sensitive but\n                   Unclassified Waste Disposal Process Is Needed to Prevent\n                  Inadvertent Disclosure of Personally Identifiable Information\n\n\nPolicies Related to Protection and Disposal of Paper Documents\nContaining Personally Identifiable Information Need to Be More\nWidely Communicated and Adhered to by Employees and Contractors\nAt every location we visited, we found documents containing PII or other SBU information in\nregular waste containers and/or dumpsters. For example, in one location from an open dumpster\nlocated outside the building, we obtained a document containing a complete IRS purchase card\nnumber as well as other PII. In another IRS facility, receptacles specifically provided for\nrecyclable materials were the only trash receptacles available at employee workstations. These\ncontainers, which were bright blue and clearly marked \xe2\x80\x9cRECYCLE,\xe2\x80\x9d were being used by\nemployees throughout the day for SBU waste. We observed contractor employees emptying\nthese containers into regular waste carts while employees were not at their desks. In one\nlocation, we found cardboard boxes and trash pails labeled \xe2\x80\x9cCLASSIFIED MATERIAL-DO\nNOT DISCARD.\xe2\x80\x9d This local practice is a significant control weakness when cleaning staff are\nexpected to differentiate between standard SBU waste or PII containers and all other labeled\nwaste receptacles. 
In addition, these labels can be easily misunderstood by contractor\nemployees.\nAt two different IRS offices we visited, we were told that cleaning staff working in IRS areas\nhad been observed without either proper identification or an escort. We also observed cleaning\nstaff collecting both SBU waste and regular trash at the same time, in contradiction to what we\nhad been told by IRS onsite management was standard procedure.\nWhile a DVD entitled Safeguarding Personally Identifiable Information has been created and\ndistributed throughout the IRS, this DVD focuses almost exclusively on electronic media and\nsecurity of the employee\xe2\x80\x99s actual desk/workstation/laptop. It does not address the proper\ndisposal of SBU waste and documents containing PII. At the time of our review, we were unable\nto identify any IRM guidance which contained updated concepts and terminology such as\n\xe2\x80\x9cpersonally identifiable information\xe2\x80\x9d and \xe2\x80\x9csensitive but unclassified.\xe2\x80\x9d The IRM under Physical\nSecurity Standards covering Information Protection had last been revised in July 2003.\nAs part of the requirements of the IRM Managers Security Handbook and Records Disposition\nHandbook, managers in the functional areas are required to hold annual security briefings and\nprovide a forum for employee discussion. One IRS analyst and a management assistant we\ninterviewed had never heard of PII and both were unaware of the risks associated with the\nimproper disposal of documents containing PII.\nIf security policies are not adequately communicated and adhered to, sensitive taxpayer and\nemployee data are at an increased risk of disclosure or other improper usage. This may be\nexacerbated by the fact that at many IRS locations, nonsensitive paper waste is sold to recycling\nplants in bulk. 
Sensitive material disposed of improperly could be included in this recycled\nwaste.\n\n\n                                                                                          Page 12\n\x0c                    Increased Management Oversight of the Sensitive but\n                  Unclassified Waste Disposal Process Is Needed to Prevent\n                 Inadvertent Disclosure of Personally Identifiable Information\n\n\nRecommendation\nRecommendation 5: We recommend the Chief, Agency-Wide Shared Services, provide\ncomplete and accurate guidance and education regarding the safeguarding and proper disposal of\nsensitive data by initiating the following:\n   \xe2\x80\xa2   An update to the IRM to incorporate Federal Information Security Management Act of\n       2002 standards and terminology, e.g., PII. Cross references to current legislative\n       documents should be made when necessary.\n   \xe2\x80\xa2   A requirement that annual security briefings for operational areas include group\n       discussions of PII and other current security topics relevant to the area.\n   \xe2\x80\xa2   Additional employee outreach regarding the proper disposal of paper documents as well\n       as the identification for each operational area of what is considered SBU waste and PII.\n   \xe2\x80\xa2   A memorandum to all employees mandating the use of only official authorized containers\n       that are identified for disposal of SBU waste and PII. Employees should be prohibited\n       from using containers designated RECYCLE or any other label. IRS management should\n       ensure that the official authorized containers are available in an adequate number and size\n       to accommodate employee needs.\n   \xe2\x80\xa2   A program to inform contractors and their employees of their responsibilities to follow\n       current IRM guidelines. Among the procedures that should be reviewed are badging,\n       escorts, and disclosure safeguards. 
This requirement can become part of the Statement of\n       Work between the IRS and the contractor.\nManagement\xe2\x80\x99s Response: IRS management agreed with this recommendation. The IRM\non Information Protection was revised in September 2008 and includes SBU and PII standards\nand terminology. Agency-Wide Shared Services will partner with the Communications and\nLiaison function and the Privacy Office to develop a communications plan on the remaining\npoints of this recommendation to ensure continued awareness around policies and procedures for\nthe destruction of PII and SBU information for both employees and contractors.\n\n\n\n\n                                                                                          Page 13\n\x0c                       Increased Management Oversight of the Sensitive but\n                     Unclassified Waste Disposal Process Is Needed to Prevent\n                    Inadvertent Disclosure of Personally Identifiable Information\n\n\n                                                                                                Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of our review was to determine whether the IRS has established effective\ncontrols to ensure that security measures related to the disposal of tax and other SBU information\nare adequate to prevent disclosure of PII. 1 To accomplish our objective, we:\nI.      Identified IRS office locations nationwide and determined the risk of disclosure based on\n        types of buildings, leases, tenancy, number of IRS employees occupying office space,\n        and SBU waste/PII disposal contract requirements.\n        A. Obtained documentation of current IRS office inventory.\n        B. Interviewed key Real Estate and Facilities Management function personnel to\n           determine how SBU waste contracts are awarded and monitored.\n        C. 
Obtained copies of current contracts from IRS management to ensure that they\n           contain all of the required security and safeguard provisions. We identified current\n           IRS procedures and guidelines for achieving compliance with these provisions. We\n           evaluated the IRS\xe2\x80\x99 compliance with contract procedures.\n        D. Created a questionnaire to be completed by the 14 Territory Managers 2 relative to the\n           scope of work regarding collection and transport of SBU waste/PII, as well as\n           shred/burn or other SBU waste/PII destruction contracts.\nII.     Conducted site visits at 15 IRS locations in 7 cities based on information received from\n        the Real Estate and Facilities Management function.\n        A. Determined whether the IRS has adequately informed/educated their employees\n           regarding the proper disposal of SBU waste/PII.\n             1. Requested and reviewed pertinent information/educational documents provided to\n                IRS employees on the subject of SBU waste/PII and policies and procedures for\n                its disposal.\n\n\n\n\n1\n Tax returns and return information are to be considered SBU information. PII is a specific type of SBU.\n2\n Territory Managers are responsible for Real Estate and Facilities Management and Building Management\nprograms, servicing customers in geographically dispersed posts of duty in their assigned territories.\n                                                                                                           Page 14\n\x0c                         Increased Management Oversight of the Sensitive but\n                       Unclassified Waste Disposal Process Is Needed to Prevent\n                      Inadvertent Disclosure of Personally Identifiable Information\n\n\n             2. 
Confirmed or clarified current procedures through discussions with appropriate\n                management and analysts at the selected sites (COTRs 3 where applicable).\n         B. Identified and obtained documentation of guidance provided to the Area Offices (e.g.,\n            the IRM, Internal Revenue Code \xc2\xa7 6103, National Headquarters Office\n            memorandums). This included identifying national policies and practices (e.g., The\n            Privacy Act of 1974 4 and The E-Government Act of 2002 5 ).\n         C. Interviewed and observed a judgmental sample of employees who were in the office\n            the day of our visits in order to obtain feedback on whether appropriate separation of\n            printed materials was executed.\n         D. Observed and inspected shred/burn bins for proper labeling and separation.\n         E. Inspected employee SBU waste/PII/recycle/wet waste or other containers for\n            appropriate separation of materials.\n         F. Inspected shredders where provided.\n         G. Inspected SBU waste holding areas.\nIII.     Determined whether waste disposal contractors are providing adequate protection of\n         sensitive taxpayer information and verified conformance with Government-wide policies.\n         A. Observed pickup of SBU waste from IRS locations.\n         B. Observed transfer of waste from IRS locations to waste disposal facilities.\n         C. Conducted unannounced inspections at four off-site waste disposal facilities and\n            reviewed required logs or other documentation.\n         D. Observed and evaluated storage and destruction of SBU waste material at waste\n            disposal facilities.\n         E. Determined whether the IRS has provided adequate oversight to ensure that\n            unannounced inspections of waste disposal facilities were completed and that waste is\n            being destroyed properly and according to established time periods.\nIV.      
Using the results of information obtained in Steps I. through III., determined whether the\n         IRS is providing adequate oversight of SBU waste/PII disposal to prevent disclosure of\n         sensitive taxpayer information.\n\n\n3\n  The COTR is a person designated by the Contracting Officer to perform certain administrative tasks related to a\nspecific contract. The primary role of the COTR is to monitor the contractor\xe2\x80\x99s performance, ensure that the\ncontractor delivers what is called for in the contract, and serve as the technical liaison between the contractor and the\nContracting Officer.\n4\n  5 U.S.C. \xc2\xa7 552a (2000).\n5\n  Pub. L. No. 107-347 Title III, Section 301 (2002).\n                                                                                                               Page 15\n\x0c                    Increased Management Oversight of the Sensitive but\n                  Unclassified Waste Disposal Process Is Needed to Prevent\n                 Inadvertent Disclosure of Personally Identifiable Information\n\n\n                                                                             Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Compliance and Enforcement\nOperations)\nKyle R. Andersen, Director\nBernard F. Kelly, Audit Manager\nNancy Van Houten, Lead Auditor\nMargaret F. 
Filippelli, Senior Auditor\n\n\n\n\n                                                                                      Page 16\n\x0c                   Increased Management Oversight of the Sensitive but\n                 Unclassified Waste Disposal Process Is Needed to Prevent\n                Inadvertent Disclosure of Personally Identifiable Information\n\n\n                                                                  Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDirector, Real Estate and Facilities Management OS:A:RE\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Deputy Commissioner for Operations Support OS\n       Chief, Agency-Wide Shared Services OS:A\n\n\n\n\n                                                                         Page 17\n\x0c       Increased Management Oversight of the Sensitive but\n     Unclassified Waste Disposal Process Is Needed to Prevent\n    Inadvertent Disclosure of Personally Identifiable Information\n\n\n                                                      Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                             Page 18\n\x0c   Increased Management Oversight of the Sensitive but\n Unclassified Waste Disposal Process Is Needed to Prevent\nInadvertent Disclosure of Personally Identifiable Information\n\n\n\n\n                                                         Page 19\n\x0c   Increased Management Oversight of the Sensitive but\n Unclassified Waste Disposal Process Is Needed to Prevent\nInadvertent Disclosure of Personally Identifiable Information\n\n\n\n\n                                                         
Page 20\n\x0c   Increased Management Oversight of the Sensitive but\n Unclassified Waste Disposal Process Is Needed to Prevent\nInadvertent Disclosure of Personally Identifiable Information\n\n\n\n\n                                                         Page 21\n\x0c   Increased Management Oversight of the Sensitive but\n Unclassified Waste Disposal Process Is Needed to Prevent\nInadvertent Disclosure of Personally Identifiable Information\n\n\n\n\n                                                         Page 22\n\x0c   Increased Management Oversight of the Sensitive but\n Unclassified Waste Disposal Process Is Needed to Prevent\nInadvertent Disclosure of Personally Identifiable Information\n\n\n\n\n                                                         Page 23\n\x0c'